Hey folks - thank you all for the ongoing discussion and diligence from our community, it makes it so much easier for us all to combat this together.
Thought I’d share a couple of insights on all of the topics.
As people know, we’ve had a rise in phishing incidents within the hospitality industry over the past few months, and Mews has been targeted along with a number of other growing hospitality sites. As highlighted in this thread, it is an incredibly widespread and co-ordinated set of events against our whole industry.
The primary attack vector that is being used is what we’d call typosquatting phishing - that is, they’re standing up fake websites that look and feel like the real thing (e.g. app.meows.com as opposed to app.mews.com). They then pay Google to appear top of the search results for things like ‘mews login’, so that your hotel staff are more likely to get the fake ad, and so be directed to the fake phishing site.
We actively remediate this as they are detected, and so can minimise the impact for our customers, but it still doesn’t prevent one of your hotel employees from giving over their credentials.
As already highlighted, 2FA is not a silver bullet on this - typically, someone willing to give over their username and password to an attacker is also likely to give over their 2FA code.
Sharing some of the things we’ve done/are doing to mitigate these attackers. This is very much an endless game of chess in the hospitality industry unfortunately though, as the attackers can and will pivot approach. Our aim is to create as many layers of security as we can (Defence in Depth) to reduce the likelihood of attack, and mitigate the impact of any attack that is seen.
Activities
Some of these are current, some of them are prioritised on our roadmap, but larger initiatives.
- 2FA everywhere - as already highlighted, there was a big push to ensure 2FA across our whole customer base after this phishing campaign started. Although not 100% effective, it helps massively to mitigate.
- Frustration Techniques - we have modified areas of the software to make attack less effective. E.g. removing the ability to see personally identifiable information if you don’t have 2FA enabled.
- Device Detection - folks will have seen we rolled out device detection recently, and so you get an email when you log in to the site highlighting if it comes from a new location. This was expanded in the past week to improve reliability, and we are now exploring device approval (so that login only happens if you approve the new location/device).
- Improved Access Controls - improving overall role based access in the product so that (for example) housekeeping staff only have access to those areas of the product that they need.
- Improved Identity - rolling out an identity solution across our whole ecosystem, so that there is a single login for all of our products. The added benefit on this is that it also will come out of the box with things like support for passkeys mentioned above, and many other aspects of securing identity.
- Improving Self-Serve Visibility - enabling you to better review activity taken by your staff across the product.
This is just some of the high level, but there are a number of other areas that we are also focusing in on. All of the discussion on threads like this feeds into our roadmap for consideration, so it is really appreciated.
Cheers,
Terry
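The typosquatting vector Terry describes (app.meows.com standing in for app.mews.com) can be triaged on the defender's side by scoring hostnames seen in proxy or DNS logs against the legitimate one. This is an added example, not Mews's code or anything from the post; the sample hostnames, the affix handling and the homoglyph table are constructed assumptions.

```python
# Legitimate hostname to protect (taken from the post above).
LEGIT_HOST = "app.mews.com"

# Constructed sample: hostnames as they might appear in a web-proxy or DNS log.
SAMPLE_HOSTS = [
    "app.mews.com",           # the real thing
    "app.meows.com",          # the lookalike named in the post
    "app-mews.com",           # brand moved into the registrable label
    "mews-login.com",         # brand plus a "login" affix
    "app.mevvs.com",          # 'vv' standing in for 'w'
    "app.mews.com.evil.net",  # brand used as a subdomain of an unrelated domain
    "example.org",            # unrelated traffic
]

# Assumed table of common character substitutions seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "vv": "w", "rn": "m"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used as a lookalike score."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'mews' from 'app.mews.com' (assumes a one-label public suffix)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Undo the assumed homoglyph substitutions before comparing labels."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify(host: str, legit: str = LEGIT_HOST, max_distance: int = 1) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one observed hostname.

    Substring and edit-distance checks are triage heuristics: they will flag
    some benign names, so results should feed a review queue, not an auto-block.
    """
    host = host.lower().rstrip(".")
    if host == legit:
        return "legit"
    brand = registrable_label(legit)
    label = normalize(registrable_label(host))
    if brand in host or brand in label:      # brand embedded with affixes or as a subdomain
        return "lookalike"
    if levenshtein(label, brand) <= max_distance:  # one-character typos such as 'meows'
        return "lookalike"
    return "unrelated"


def find_lookalikes(hosts, legit: str = LEGIT_HOST) -> list:
    """Filter a list of observed hostnames down to those worth a takedown/blocklist review."""
    return [h for h in hosts if classify(h, legit) == "lookalike"]
```

Feeding a daily list of newly observed domains through find_lookalikes gives a short review queue for the takedown work the post mentions.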